build(pnpm): migrate to pnpm 11 + add minimumReleaseAge + pin Node 22#165
Conversation
Closes #160. Three TS workspaces (clients/ts, tests/e2e/sdk, docs) and the setup-env composite action all jump from pnpm 10.33 to 11.1.3. pnpm 11 deprecates the `pnpm` field in package.json — `onlyBuiltDependencies` moved into a `pnpm-workspace.yaml` next to each package.json, renamed to `allowBuilds:` with the new map-of-booleans syntax. Same files hold a 7-day `minimumReleaseAge` (10080 minutes), so pnpm refuses freshly published packages until npm/jsr have had a week to flag a compromise. Node 22 is pinned via a new repo-root `.nvmrc` to match what CI's `setup-node` already uses. The issue flagged Node 26 crashing Vitest with a V8 abort; that's no longer reproducible after the recent vitest@^4 bump in clients/ts, but the pin still avoids Node-major surprises and gives `nvm`/`fnm`/`volta` users a one-shot version pick. Note on `electron-winstaller`: the issue's open question about whether it was a hidden transitive — it isn't. The warning came from a stray `/Users/eric/pnpm-workspace.yaml` in the local dev's home directory (pnpm 11 walks up looking for a workspace root). Not a WaveHouse dep, correctly omitted from `allowBuilds`. Verified: - make build-sdk green - make build-docs green - make test-sdk 120/120 passed (Node 26 + pnpm 11 — no crash) - pnpm install --frozen-lockfile clean in all three workspaces - Pre-existing typecheck error in clients/ts/src/cli/codegen.ts (missing @types/node) is unrelated and reproduces on main. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request modernizes the project's package management infrastructure by upgrading to pnpm 11 and standardizing the development environment on Node 22 LTS. These changes improve security through release age restrictions and ensure consistency between local development environments and CI pipelines, while also updating documentation to reflect the new requirements. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughPin Node.js to v22 LTS and migrate pnpm from 10.33.0 to 11.1.3 across CI and manifests; replace package-level pnpm build settings with workspace-level ChangesTooling Version Upgrade and Configuration
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Code Review
This pull request upgrades the project's development environment to Node.js 22 LTS and pnpm 11.1.3, which includes migrating build configurations to new pnpm-workspace.yaml files and implementing a minimum release age security policy. Feedback identifies a missing mandatory update to the CHANGELOG.md and suggests automating the synchronization of security settings across the various workspace files to prevent manual maintenance errors.
|
1 [SHOULD], 0 [MUST], 0 [MAY]. See the inline thread for detail. Missing doc-sync [SHOULD]: Iterate — fix the |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@README.md`:
- Line 119: Update the README's prerequisite sentence that currently reads "pnpm
11+" to match the rest of the docs and CI by specifying "pnpm 11.1+" (consistent
with docs/development.md and the CI pin at 11.1.3); locate the phrase in the
README sentence that lists prerequisites (the clause containing "Node.js 22 LTS
(pinned via `.nvmrc`, matches CI), and pnpm 11+") and replace the pnpm minimum
version to "11.1+" so all documentation and CI requirements are aligned.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 07e17ae1-6c24-433d-93b1-f2fe07ba9d51
📒 Files selected for processing (3)
AGENTS.mdREADME.mddocs/src/content/docs/development.md
|
1 [SHOULD], 1 [SHOULD] (doc-sync), 0 [MUST] — see inline threads for detail. The [SHOULD] CHANGELOG.md has no entry for this change. AGENTS.md §"Documentation Sync" requires all notable changes under Iterate — two one-liners before merge: bump |
…LOG)
Three one-liners from the PR review round:
* docs/package.json#engines.node: >=20.0 → >=22.0 so corepack/volta
flag local-dev mismatches before CI does (Claude SHOULD).
* README.md: "pnpm 11+" → "pnpm 11.1+" — consistent with
AGENTS.md/development.md and the 11.1.3 CI pin (CodeRabbit minor).
* CHANGELOG.md: add Unreleased entries under ### Changed (toolchain
bump) and a new ### Security subsection (minimumReleaseAge)
(Claude + Gemini doc-sync MUST/SHOULD).
The Gemini "automate minimumReleaseAge drift detection" suggestion is
deliberately declined — three sibling files, all surfaced in any PR
diff that touches them; the cost of a Make/CI check exceeds the cost
of a one-line `grep minimumReleaseAge */pnpm-workspace.yaml` during
review.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Review round-trip summary (commit 447eb03): Fixed:
Declined (with reasoning in-thread):
All 5 inline threads resolved. @claude @gemini-code-assist @coderabbitai thanks for the round-trip. |
|
Tip For best results, initiate chat on the files or code changes.
The README fix ( The PR looks clean from my side. Happy reviewing! 🐇✨ |
|
@EricAndrechek Thanks for the comprehensive summary of the resolution steps taken. It is great to see the toolchain migration, security hardening, and documentation updates all finalized and aligned with the project's requirements. The rationale for declining the drift-detection CI step is well-reasoned given the project's current structure. This PR is in excellent shape. Happy merging! 🚀 |
|
0 [MUST], 0 [SHOULD], 0 [MAY] — no inline findings. Both prior threads (missing Ship it — all review threads closed, CI gate is the only remaining checkpoint. |
taitelee
left a comment
There was a problem hiding this comment.
Yep. Only see minimumReleaseAge changes and pnpm updates. Looks good to me.
## Summary A large (hopefully final, apart from potentially a separate PR for content refactoring/touch-ups/restructuring) PR to lay the groundwork for all the docs/website stuff needed before going live. ## Plan - [x] Additional icons, opengraph meta, meta tags, etc needed – specifically twitter card and confirming og tags are all there properly - [x] ~~pnpm workspace or something? Started in #165 but need to finish as dependabot becomes simpler and pnpm/node versions with various subpackages in this monorepo allowing different versions in each becomes painful – this fixes that.~~ (Unsure if we want yet or not, deferring until later/after alpha release) ## Related Issues: - [ ] closes #148 - [x] closes #156 (should have been closed already by #142) - [x] closes #154 - [x] closes #155
Closes #160.
Summary
clients/ts,tests/e2e/sdk,docs) plus thesetup-envcomposite action jump frompnpm@10.33.0→pnpm@11.1.3.pnpmfield inpackage.json—onlyBuiltDependenciesmoves into a newpnpm-workspace.yamlnext to eachpackage.jsonand is renamed toallowBuilds:with the new map-of-booleans syntax.pnpm-workspace.yamlfiles setminimumReleaseAge: 10080(7 days) so pnpm refuses freshly published packages until npm/jsr have had a week to flag a compromised release..nvmrcpins Node 22 LTS — matches what CI'ssetup-nodealready uses, and reduces Node-major-surprise risk onnvm/fnm/voltadev machines.docs/development.mdupdated for the new versions.Notes from investigation
The issue flagged two open questions; here's where I landed on each:
electron-winstallermystery. Not a hidden transitive of any WaveHouse workspace. The pnpm 11 ignored-build warning came from a stray/Users/eric/pnpm-workspace.yamlin the local dev's home directory — pnpm 11 walks up the directory tree looking for a workspace root and found it before the in-repo one. Correctly omitted fromallowBuilds. (Future devs hitting this should clean up their home dir or rename their stray workspace file.)make test-sdkruns all 120 tests cleanly on Node 26. The earlierclients/tsbump tovitest@^4.1.6(PR deps(sdk): bump the sdk-deps group in /clients/ts with 2 updates #103) seems to have already absorbed the V8 incompatibility. I still added the.nvmrcper the issue's request, since pinning has independent value and the cost is one line.Test plan
make build-sdk— greenmake build-docs— greenmake test-sdk— 120/120 passed on Node 26 + pnpm 11pnpm install --frozen-lockfileclean in all three workspaces (CI's path)make ciincludingmake test-e2ewhich needs the containerized ClickHouse + wavehouse binary)🤖 Generated with Claude Code
Summary by CodeRabbit
Chores
Documentation